Two free software organizations have cut ties with Eben Moglen due to documented abusive behavior toward community members and staff. Moglen has used violent rhetoric, screamed at colleagues, and threatened individuals in professional contexts. Defending such abuse harms the free software community.
25 items from mjg59-dreamwidth-org
Why ACPI?
ACPI was created to address limitations of earlier power management systems like APM, which relied on opaque BIOS calls. ACPI provides a standardized way for operating systems to manage hardware power states without needing device-specific drivers. While it doesn't eliminate all firmware issues, ACPI has generally improved hardware compatibility compared to previous approaches.
Gnome fingerprint unlock doesn't unlock the keyring because Linux lacks a secure enclave like Apple's TouchID system. The fingerprint reader only provides a match/no-match result without releasing secret material to decrypt passwords. There's currently no secure way to store and release keyring decryption secrets based on fingerprint authentication.
The author has implemented SSH protocol extensions to improve host certificate usability, allowing certificate-based trust instead of individual host keys. The system includes key revocation lists signed by certificate authorities to handle compromised keys. This enables seamless key rotation without user intervention when hosts need to replace compromised keys.
The article explains how ELF libraries work with both section headers and program headers, describing how the author discovered Synology NAS libraries missing section headers. They developed a tool to reconstruct missing section headers from program header data to make the libraries usable for linking.
The author encountered streaming issues over a VPN due to packet size limitations. They discovered Fastly's CDN was ignoring ICMP packets that indicated packets were too large for the VPN's MTU. After reporting the issue, Fastly's engineering team fixed the problem.
Expert witnesses in the Craig Wright trial agreed his digital evidence was unreliable. MYOB database records showed signs of being created after 2016 but backdated to 2009-2011. Email evidence contained anachronistic timestamps with headers using formats that didn't exist in 2019.
The SSH agent protocol's extension mechanism allows creating arbitrary remote procedure call channels between local and remote systems. This enables custom communication for purposes like forwarding WebAuthn challenges to local authentication methods. The approach involves implementing an extended agent interface and configuring SSH forwarding for specific hosts.
The dating app Feeld claimed users' preferences were private, but security testing revealed the app's GraphQL API exposed sensitive data like "lookingFor" and "ageRange" fields. Hidden profiles and partnership information were also accessible despite not being displayed in the UI. The issues have since been fixed after being reported to the company.
SBAT (Secure Boot Advanced Targeting) uses generation numbers to revoke vulnerable boot components. Microsoft pushed a Windows update setting minimum SBAT levels for grub due to security vulnerabilities, but it incorrectly affected some dual-boot systems. This caused Linux distributions' Shim bootloaders to refuse to boot older grub versions.
Android 12's privacy improvements removed IMEI and serial numbers from device ID attestation, but key attestation still relies on those identifiers. This creates a mismatch that prevents verifying hardware-backed keys are associated with specific enterprise-enrolled devices.
The article examines whether firmware should be free software, distinguishing between initialization firmware and runtime firmware. It argues that free firmware provides practical benefits like security updates and hardware functionality control, while discussing the Free Software Foundation's approaches to firmware freedom.
The article disputes the FSF's claim that streaming platforms use TPMs for DRM, arguing that hardware-based DRM is actually implemented in GPUs or ARM's TrustZone. It explains that TPMs are too slow for real-time video decryption and cannot interface with GPUs, making them unsuitable for this purpose.
Twitter's encrypted direct messages have multiple security weaknesses, including reliance on Twitter's servers for key distribution and lack of forward secrecy. The feature was developed by only two engineers who are no longer at the company, and none of its limitations have been addressed since launch nearly two years ago.
Twitter's new encrypted DMs still have significant security flaws. The system uses a 4-digit PIN that can be brute-forced, allowing Twitter to potentially access private keys. Additionally, Twitter can intercept messages by providing false public keys and has full access to metadata.
Twitter's encrypted DM infrastructure has security flaws where keys could be swapped without user detection. The system could be improved by proving keys were generated in hardware security modules and embedding them in clients. However, web-based clients remain vulnerable to targeted attacks.
The author describes a method for hosting internet-connected servers from home using a VPS with multiple IP addresses. They use WireGuard to create a VPN tunnel between the local machine and the VPS, then configure iptables and policy routing to forward external traffic to the local system while maintaining proper return routing.
The author recounts working on accessibility software Dasher 23 years ago, helping people with communication disabilities. They reflect on the profound impact of accessibility work and the ongoing transition from X11 to Wayland for improving Linux accessibility infrastructure.
The article examines the lack of a consistent single sign-on API flow, especially for CLI applications. Current methods use vulnerable device code flows or browser-based approaches that don't work well with remote systems. The author advocates for a standardized specification to handle authentication and MFA programmatically.
The article explains that while Microsoft's Secure Boot certificates are expiring in 2026, this won't cause systems to stop booting because UEFI firmware doesn't enforce certificate expiry dates. Microsoft is introducing new certificates, but systems will continue to trust old ones, and updates are available to add new certificates to existing systems.
A developer replaced an Amiga's 68000 CPU with a Raspberry Pi running Linux to run Doom directly on the Amiga hardware without emulating 68000 instructions. The project involved converting Doom's pixel-based graphics to the Amiga's planar bitmap format and synchronizing frame updates to avoid graphical glitches. Code for the "Cordoomceps" project is available on GitLab.
A tenant discovered their rental agency sent them a forged PDF contract with an added addendum about security deposit handling. Forensic analysis of PDF metadata and font usage proved the document was edited after signing. The agency's own document signing platform showed the original contract without the addendum as the completed version.
Elon Musk's X Chat claims full encryption but lacks remote attestation, allowing potential key interception. The service uses Juicebox protocol with HSM-backed key storage, but API calls could be manipulated to return different keys. Without proper verification mechanisms, messages could be decrypted by someone with system access.
The author won a defamation lawsuit against Techrights publishers who claimed IRC ping timeouts proved he was behind harassment accounts. Technical analysis shows ping timeouts don't necessarily indicate the same user, as network interruptions can cause disconnections up to 90 seconds apart.
Not here
The author announces they are no longer posting content on this platform and directs readers to their new blog location. They note that most feed aggregators have been updated and ask direct subscribers to update their feeds.